mongodb/kingfisher v1.84.0

Kingfisher v1.84.0

on GitHub

[v1.84.0]

• Added/updated pipedrive and amplitude rules
• Access Map: added Buildkite provider. Enumerates token scopes, user identity, organizations, and pipelines with severity classification based on scope risk.
• Access Map: added Harness provider. Uses x-api-key authentication to enumerate organizations/projects when permitted (best-effort).
• Access Map: added OpenAI provider. Supports standalone access-map openai and automatic mapping for validated kingfisher.openai.* findings. Enumerates organizations (from /v1/me), projects, and API key permission scopes by probing endpoints for restricted key detection.
• Access Map: added Anthropic provider. Supports standalone access-map anthropic and automatic mapping for validated kingfisher.anthropic.* findings.
• Access Map: added Salesforce provider. Supports standalone access-map salesforce (token + instance) and automatic mapping for validated kingfisher.salesforce.* findings.
• Added Weights & Biases support: new kingfisher.wandb.2 rule for wandb_v1_... keys (legacy kingfisher.wandb.1 retained), plus Access Map provider/CLI support (weightsandbiases, alias wandb).
• Reports: always emit validate/revoke command hints when supported by a rule (no suppression for missing template vars).
• Access Map GCP: added resource enumeration for Cloud KMS key rings, Cloud Functions, Firestore databases, Cloud Spanner instances, and project service accounts.
• Access Map GCP: populated token_details with service account metadata (display name, unique ID, disabled status).
• Access Map GCP: fixed BigQuery and Secret Manager risk assessment to detect write permissions and secretmanager.versions.access.
• Access Map GCP: added risk notes for KMS decrypt, Cloud Functions deploy, instance metadata injection, and secret value read access.
• Access Map GCP: expanded testIamPermissions fallback with 11 additional permission candidates.